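# Per-directory Apache configuration (.htaccess): canonical-URL redirects,
# a front-controller router, access restrictions, security headers,
# compression and cache lifetimes.
#
# NOTE(review): this copy had lost its line breaks and its <...> container
# lines. Both are restored below. Container arguments that could not be
# recovered are marked as constructed and must be checked before deploying.

AddDefaultCharset UTF-8

#############################
# REWRITE AND REDIRECTION
#############################

RewriteEngine on
RewriteBase /

# Force non-www
# %{HTTPS}s is "ons" or "offs"; the pattern captures the trailing "s" only
# when HTTPS is on, so "http%1" becomes "https" or "http". The third
# condition then splits scheme (%1), optional "www." (%2) and the bare
# host (%3).
# NOTE(review): the redirect target is built from the client-supplied Host
# header. Make sure the virtual host only answers for expected names
# (ServerName/ServerAlias plus a catch-all default vhost), or replace
# %{HTTP_HOST} with the literal canonical host name.
RewriteCond %{HTTP_HOST} ^www\.
RewriteCond %{HTTPS}s ^on(s)|off
RewriteCond http%1://%{HTTP_HOST} ^(https?://)(www\.)?(.+)$
RewriteRule ^ %1%3%{REQUEST_URI} [L,R=301]

# Force HTTPS (disabled)
# NOTE(review): while this stays disabled the site is still served over
# plain HTTP, and the Strict-Transport-Security header set below only takes
# effect after a visitor has reached the site over HTTPS at least once.
# The flags [L,R=301] were added to the commented rule so that enabling it
# gives a permanent redirect and stops further rule processing.
#RewriteCond %{HTTPS} !on
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Remove Trailing Slash
# Applies only when the request does not map to a real directory.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]

# Router
# Sends every *.php request, every path that is not an existing file, and
# every directory to index.php. Existing non-PHP files are served directly
# by Apache, so the access rules in the SECURITY section are the only thing
# protecting stray files in the document root.
# The dot is escaped: the unescaped ".php$" also matched names such as
# "xphp".
RewriteCond %{REQUEST_FILENAME} \.php$ [OR]
RewriteCond %{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*)$ index.php [L,QSA]

#############################
# SECURITY
#############################

# Deny Access to Hidden Files and Directories (disabled)
# NOTE(review): with this rule off, any dot-file or dot-directory that
# exists under the document root (version-control metadata, environment
# files, editor state) is served as a static file, because the router
# skips existing files. If it is enabled, keep "/.well-known/" reachable;
# the second commented line is a variant that does so.
#RedirectMatch 404 /\..*$
#RedirectMatch 404 "/\.(?!well-known/)"

# Deny Access to Backup and Source Files
# NOTE(review): the original <FilesMatch> pattern is not present in this
# copy. Without a container, "Deny from all" would reject every request.
# The pattern below is a CONSTRUCTED example; adjust the extension list to
# the files this project can leave behind.
<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">
    ## Apache 2.2
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
    ## Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>

# Disable Directory Browsing
Options -Indexes

# Set security headers
# NOTE(review): "Header set" uses the default (onsuccess) condition, which
# does not cover error pages and redirects generated by Apache itself. Use
# "Header always set" if these headers are wanted on those responses too.
Header set Referrer-Policy "same-origin"
# X-Frame-Options and CSP frame-ancestors express the same framing policy;
# browsers that support frame-ancestors give it precedence.
Header set X-Frame-Options "SAMEORIGIN"
# NOTE(review): X-XSS-Protection targets the legacy browser XSS auditor,
# which current browsers have removed; current guidance is to send "0" or
# omit the header and rely on Content-Security-Policy. Value left as found.
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
# This policy restricts framing only; it places no limits on scripts,
# styles or other resource loads.
Header set Content-Security-Policy "frame-ancestors 'self'"
# includeSubDomains commits every subdomain to HTTPS for one year; confirm
# that all of them serve valid certificates. Browsers ignore this header on
# plain-HTTP responses.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

#############################
# PERFORMANCE
#############################

# Compress Text Files
# Compression is optional, so it is guarded by IfModule and is skipped,
# rather than failing the request, when the module is not loaded.
<IfModule mod_deflate.c>
    # Restore an Accept-Encoding header that a proxy or client-side filter
    # has mangled, so that these clients still receive compressed responses.
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>

    AddOutputFilterByType DEFLATE application/atom+xml \
                                  application/javascript \
                                  application/json \
                                  application/rss+xml \
                                  application/vnd.ms-fontobject \
                                  application/x-font-ttf \
                                  application/x-web-app-manifest+json \
                                  application/xhtml+xml \
                                  application/xml \
                                  font/opentype \
                                  image/svg+xml \
                                  image/x-icon \
                                  text/css \
                                  text/html \
                                  text/plain \
                                  text/x-component \
                                  text/xml
</IfModule>

# Set Expires Headers
# Documents and data feeds are never cached; everything else defaults to
# one month.
<IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault "access plus 1 month"
    ExpiresByType application/json "access plus 0 seconds"
    ExpiresByType application/xml "access plus 0 seconds"
    ExpiresByType text/xml "access plus 0 seconds"
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
    ExpiresByType text/cache-manifest "access plus 0 seconds"
    ExpiresByType application/rss+xml "access plus 1 hour"
</IfModule>

#############################
# MISCELLANEOUS
#############################

# Allow Cross-Domain Fonts
# NOTE(review): as found, this header had no container and therefore
# applied to every response, including those produced by index.php, which
# lets any origin read non-credentialed responses. It is scoped to font
# files here; the extension list is CONSTRUCTED and should be confirmed
# against the fonts the site actually serves.
<FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
    Header set Access-Control-Allow-Origin "*"
</FilesMatch>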